Overview

overview

10

Static

static

3

34b5a5e26c...18.dll

windows7-x64

10

34b5a5e26c...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-07-2024 03:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    34b5a5e26c1fc9cb86f772e8984ef966_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    34b5a5e26c1fc9cb86f772e8984ef966

  • SHA1

    04c065da296af65d4d6217a984494239127ca651

  • SHA256

    3e6d8d1cbcc0301f55df11d1ed8889cd73920d683488f95bfaaef68cc795e2fe

  • SHA512

    b8ee5e509d1091a99b2f2b8523b3203f236d2ccc68a3be13b297018ab17c9c53bfc12b19888d096a15ce4dd6812a8177180d94c4b16bd71cc0320e918b37edaf

  • SSDEEP

    24576:GuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9Nxt:m9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\34b5a5e26c1fc9cb86f772e8984ef966_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4064
  • C:\Windows\system32\raserver.exe
    C:\Windows\system32\raserver.exe
    1⤵
      PID:4952
    • C:\Users\Admin\AppData\Local\lyhBikp\raserver.exe
      C:\Users\Admin\AppData\Local\lyhBikp\raserver.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:5104
    • C:\Windows\system32\RdpSaUacHelper.exe
      C:\Windows\system32\RdpSaUacHelper.exe
      1⤵
        PID:3268
      • C:\Users\Admin\AppData\Local\ga5J9\RdpSaUacHelper.exe
        C:\Users\Admin\AppData\Local\ga5J9\RdpSaUacHelper.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:5004
      • C:\Windows\system32\RdpSaUacHelper.exe
        C:\Windows\system32\RdpSaUacHelper.exe
        1⤵
          PID:3956
        • C:\Users\Admin\AppData\Local\e0bFRdpqT\RdpSaUacHelper.exe
          C:\Users\Admin\AppData\Local\e0bFRdpqT\RdpSaUacHelper.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:536

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\e0bFRdpqT\WINSTA.dll
          Filesize

          1.2MB

          MD5

          6b59e828ea6d3a6ecbcb63f9bdaa1a77

          SHA1

          0fc3e9b01436813260643a96f152c8f2bf661443

          SHA256

          7af7b5784209061724cffef65a6871c354c38840f999d70aed4baeff9abf0c73

          SHA512

          9a7cd4ad831dc79eefff89c5b8fb54a35e4ac758747decd4ee4cff610f61c8f0a45636a19b23d85180927fff3a691946780abf3f4166987efaad1862dd56cf9b

          Download Submit

        • C:\Users\Admin\AppData\Local\ga5J9\RdpSaUacHelper.exe
          Filesize

          33KB

          MD5

          0d5b016ac7e7b6257c069e8bb40845de

          SHA1

          5282f30e90cbd1be8da95b73bc1b6a7d041e43c2

          SHA256

          6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067

          SHA512

          cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e

          Download Submit

        • C:\Users\Admin\AppData\Local\ga5J9\WINSTA.dll
          Filesize

          1.2MB

          MD5

          ec558af5bba9df3fcdaa96ae6644b204

          SHA1

          a159996259f7ab7bd8a6bf47b79a0ccbbacc497a

          SHA256

          8658ae7db053e84fb731487d532a5049675a14789e7abaf7dc97165534316ece

          SHA512

          9cc5b70845d2c34632f9e36430b95a401eda1873da3d51b0cb0f9186cd455e9357b7db05538c40ecfb9c98d4a2875be63174cefe18d246064efc13c6c41d11b3

          Download Submit

        • C:\Users\Admin\AppData\Local\lyhBikp\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          e6edd2ff33b8745f0c4b057bf9b1cf0a

          SHA1

          8f21cb7419c315653ce05bd3e1e2dfc91d5e73d5

          SHA256

          389e14f1e783db8eb267a5b5a5aed01b142fadfdd566a76e9cacff710a36545c

          SHA512

          f8117e6d2aebf7bb4abd47946b17e325b0018a929bd1e0c22530caaf53e57fc6aac31294caf14598b4d224ba5683c904991cc87a9e126cde5705077adc846384

          Download Submit

        • C:\Users\Admin\AppData\Local\lyhBikp\raserver.exe
          Filesize

          132KB

          MD5

          d1841c6ee4ea45794ced131d4b68b60e

          SHA1

          4be6d2116060d7c723ac2d0b5504efe23198ea01

          SHA256

          38732626242988cc5b8f97fe8d3b030d483046ef66ea90d7ea3607f1adc0600d

          SHA512

          d8bad215872c5956c6e8acac1cd3ad19b85f72b224b068fb71cfd1493705bc7d3390853ba923a1aa461140294f8793247df018484a378e4f026c2a12cb3fa5c9

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rlbqg.lnk
          Filesize

          1KB

          MD5

          73dd1de4624d5249b9d4e527270e2eb8

          SHA1

          ce2fa4c892e07e3d6e0319fdeb25987533147db8

          SHA256

          582b6f1303fc6428b94d0c270dcecb78b1ae7d0ce8066dd0f800ea6bae1091d6

          SHA512

          8a244c6f35e8add094072091bf38b88085da8d36ce4b2e658db0475d7b3d26bd53ea34f900fd3e1e3f414f1cc31b87e784fe81372276898c54518febdee27c2a

          Download Submit

        • memory/536-86-0x00007FF81A3D0000-0x00007FF81A503000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/536-83-0x00000184ABFB0000-0x00000184ABFB7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3456-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3456-36-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3456-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3456-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3456-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3456-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3456-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3456-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3456-4-0x0000000002480000-0x0000000002481000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3456-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3456-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3456-6-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3456-29-0x0000000000950000-0x0000000000957000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3456-28-0x00007FF8230AA000-0x00007FF8230AB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3456-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3456-24-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3456-30-0x00007FF823FB0000-0x00007FF823FC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4064-39-0x00007FF81A3D0000-0x00007FF81A501000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4064-1-0x00007FF81A3D0000-0x00007FF81A501000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4064-3-0x0000025922970000-0x0000025922977000-memory.dmp

          Filesize

          28KB

          Download

        • memory/5004-66-0x0000015C0A180000-0x0000015C0A187000-memory.dmp

          Filesize

          28KB

          Download

        • memory/5004-63-0x00007FF81A3D0000-0x00007FF81A503000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/5004-69-0x00007FF81A3D0000-0x00007FF81A503000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/5104-52-0x00007FF81A3D0000-0x00007FF81A502000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/5104-49-0x0000022DB1A40000-0x0000022DB1A47000-memory.dmp

          Filesize

          28KB

          Download

        • memory/5104-46-0x00007FF81A3D0000-0x00007FF81A502000-memory.dmp

          Filesize

          1.2MB

          Download